MDM Integration Module

Overview

Mobile Device Management (MDM) systems are gaining rapid adoption among enterprises that wish to better manage the plethora of smartphones and tablet computers that are in common use by businesspeople. MDM systems can help IT security managers secure the sensitive corporate data that is frequently stored on such devices. However, MDM by itself is not a complete security solution for the following reasons:

MDM systems can only see and manage devices that have already been enrolled in the MDM system. This leaves IT Managers blind to unmanaged devices on the network.

MDM systems typically do not control access to the network; they typically control access to applications (for example, Microsoft Exchange). Thus, MDM does not prevent unauthorized access to data on the network, nor does it prevent infected or compromised devices from attacking the network. IT security managers need the ability to control where mobile devices can go on the network, enforcing policies based on the device type, operating system, compliance status, owner of the device, and logged-in user of the device.

MDM systems are often operated as another IT management silo, with another set of management screens, separate policies, and separate reports. Even worse, the MDM system is often managed by a different group of people than are responsible for computer security. This creates an opportunity for policies to be inconsistently applied and translated across the various IT management systems and groups.

The MDM Integration Module from ForeScout allows you to leverage your existing MDM solution within the broader context of unified security control that ForeScout CounterACT provides. The module links your MDM system to ForeScout CounterACT, bringing information about MDM-managed devices that are connected to the enterprise network to the CounterACT appliance, where the information is displayed alongside information about unmanaged mobile devices and devices that are outside the scope of your MDM system (such as PCs). From the CounterACT console, you can configure and enforce network security policies, and monitor and report on policy adherence, for devices in your organization – PCs, Macs, Linux, smartphones and tablets.

The MDM Integration Module, an optional plug-in for ForeScout CounterACT, is sold separately. It is one of several extended integrations that are available as part of the ForeScout ControlFabric architecture. ForeScout currently integrates with AirWatch, Fiberlink MaaS360, Citrix XenMobile, MobileIron and SAP – and more are on the way. When used in conjunction with your existing MDM system, ForeScout CounterACT and the MDM Integration Module provide:

Extended visibility by detecting unmanaged devices on the network in real time.

Seamless enrollment and installation of MDM agents on unmanaged devices by initially placing them in a limited access network, assessing device type and ownership, directing them to an MDM installation web page, and then allowing network access once the device has passed required compliance checks.

Improved security by blocking unauthorized users and devices from the network, as well as imposing whatever limits you want on authorized devices.

Just-in-time compliance checks triggered by ForeScout CounterACT the moment a device connects to the network. Through bi-directional integration, CounterACT triggers the MDM system to immediately re-assess the device, and CounterACT bases its network access decision on the result of that assessment.

Policy-based blocking of unauthorized users and devices from the network, as well as enforcing any limits you want on authorized devices. ForeScout CounterACT can base network access control (NAC) decisions on many different factors including the type of device, operating system, ownership (corporate vs. BYOD), compliance status, enrollment in the MDM system, and several other factors.

Guest registration. If you wish to set up a guest network for personal mobile devices, you can use ForeScout CounterACT’s built-in guest registration system. Once a guest has been approved, CounterACT can dynamically enforce your security policies, such as restricting the user’s access to just the Internet.

Continuous monitoring. If malware exists on the mobile device and tries to propagate or interrogate your network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can automatically quarantine or remove the mobile device from your network. ForeScout CounterACT includes ForeScout’s patented ActiveResponse™ technology which can detect and block zero-day threats.